Using Passive Authentication in IdentityServer with OWIN in MVC5

3
votes

I am trying to set up a proof of concept to move our Forms Authentication with a SQL Membership provider into a brokered authentication process. In order to do this, I am planning on leveraging Thinktecture's Identity Server 2 as the identity provider.

I have downloaded IdentityServer 2 and installed it and tried following the instructions from here: http://www.cloudidentity.com/blog/2014/02/20/ws-federation-in-microsoft-owin-componentsa-quick-start/

However, whenever I try to access a controller action which is restricted by the AuthorizeAttribute, I get an HttpResponse of 401 instead of a redirect to the IdentityServer's login page. The Startup.Auth.cs is set up with the following:

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
        });


        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
          {
              MetadataAddress = "https://dvancuykidstrial.cloudapp.net/FederationMetadata/2007-06/FederationMetadata.xml"
              ,Wtrealm = "http://owin2.testing.com/"
              ,AuthenticationMode = AuthenticationMode.Passive
              ,BackchannelCertificateValidator = new FakeCertificateValidator()
          });

    }
}

Incidentally, the FakeCertificateValidator is simply an implemnentation of ICertificateValidator which merely returns true when the Validate function is invoked. This just lets me get past the self-signed certs I'm using for the PoC.

public class FakeCertificateValidator : ICertificateValidator
{
    public bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        return true;
    }
}

Can anyone see what I am doing wrong here?

2
c#authenticationasp.net-mvc-5owin
I'm getting the same result. I've tried with both the 3.0.0-alpha1 version of the Owin packages which that tutorial references as well as the current 3.0.0-beta1 version.BenV
Do you get the same result using the 3.0.0-rc1 OWIN packages released yesterday?BenV
BenV- I have not. I'm temporarily working on another item right now and this has been shelved. But when I was working on it earlier this week, I was using the latest from the Katana's solution on github. Have you tried it? Are these working for you?Derek Van Cuyk

2 Answers

11
votes

I got my answer from here: https://katanaproject.codeplex.com/discussions/551624. The problem turns out to be that I had set the following: 

AuthenticationMode = AuthenticationMode.Passive

The differences between the two modes according to the discussions are as follows:

In passive mode the middleware need to be invoked by name. In active mode the middleware will kick in for any 401 response

I had assumed (incorrectly) that the differences between the two modes were more along the lines of: Active and Passive Federation in WIF

1
votes

I'm using OpenIdConnect instead of Federation but the symptom was the same so maybe this will help. I got my app working after I pulled in the 3.0.0-rc1 OWIN packages from nuGet. Also my proxy settings were not getting picked up for some reason, so I had to add a section to my web.config:

<system.net>
  <defaultProxy>
    <proxy  proxyaddress="http://your.proxy.server.com"/>
  </defaultProxy>
</system.net>